[VOIPSEC] An issue of trust?

Tyler Johnson trjohns1 at email.unc.edu
Thu Jun 15 19:35:04 CDT 2006


You can't. That's why you have to implement security at the application 
layer. That means end to end encryption of media and signaling. However, US
regulations for CALEA break that. If you do hop to hop security you really 
don't have any assurance of security beyond the next hop unless you are in a 
limited federation, but that doesn't scale to the whole Internet.

I think the bottom line is to work to get coherent policy implemented at the 
federal level in the U.S.

The other possibility is to think about a new protocol that is designed with 
security from the ground up, with wiretap in mind. H.325 offers an 
opportunity here, I think. I don't think it's going to work to reverse 
engineer this into SIP or H.323.


----- Original Message ----- 
From: <Ron_Cramer at cargill.com>
To: <Voipsec at voipsa.org>
Sent: Thursday, June 15, 2006 6:46 PM
Subject: Re: [VOIPSEC] An issue of trust?


> It appears I should clarify my question in regards to a Telecom Service
> Provider vs an Internet Service Provider.
>
> Based on my experience, many enterprises would choose to trust telecom
> service providers to keep data traffic private on a traditional layer 2
> service such as frame relay or voice services on POTS. And, would choose
> not to trust Internet based communication, but to mitigate the Internet
> based risk with firewalls, encryption tunnels, etc.
>
> Part of the logic used to differentiate between these two choices was that
> the traditional layer 2 services provided separation between the virtual
> private networks of the many customers serviced by the Telecom Provider.
> Since the packets are being forwarded at layer 2 the Telecom Provider had
> no awareness of anything related to the Internet Protocol. This also meant
> that the Telecom Service Provider's customers could not use IP based
> attacks against the carrier infrastructure.
>
> As Telecom Service Providers move to offer IP-aware services - MPLS, VoIP
> or whatever - the Telecom Service Providers are vulnerable to IP based
> attacks. I know there are many papers that state MPLS *can* be deployed
> with the same level of security as a layer 2 service, but how can I *trust*
> the Telecom Service Provider will invest the effort to operate a secure
> MPLS network. Or, VoIP, or whatever?
>
> Thanks and regards,
>
> Ron
>
>
>
> -----Original Message-----
> From: Cramer, Ron - Ron_Cramer at cargill.com
> Sent: Thursday, June 15, 2006 1:19 PM
> To: 'Voipsec at voipsa.org'
> Subject: An issue of trust?
>
>
> The issue of trust for your Telecom service provider,
> either traditional or VoIP based seems to be a fundamental
> component for secure communications.
>
> Can anyone identify an industry standard that an
> Enterprise can use to establish trust with a Telecom
> vendor?  Something with well established decision
> criteria, not just a high level guide to performing a
> risk assessment.
>
> Thanks in advance,
>
> Ron
>




